What is token-based authentication?

I want to understand what token-based authentication means. I searched the internet but couldn’t find anything understandable.

8 s
8

I think it’s well explained here — quoting just the key sentences of the long article:

The general concept behind a
token-based authentication system is
simple. Allow users to enter their
username and password in order to
obtain a token which allows them to
fetch a specific resource – without
using their username and password.
Once their token has been obtained,
the user can offer the token – which
offers access to a specific resource
for a time period – to the remote
site.

In other words: add one level of indirection for authentication — instead of having to authenticate with username and password for each protected resource, the user authenticates that way once (within a session of limited duration), obtains a time-limited token in return, and uses that token for further authentication during the session.

Advantages are many — e.g., the user could pass the token, once they’ve obtained it, on to some other automated system which they’re willing to trust for a limited time and a limited set of resources, but would not be willing to trust with their username and password (i.e., with every resource they’re allowed to access, forevermore or at least until they change their password).

If anything is still unclear, please edit your question to clarify WHAT isn’t 100% clear to you, and I’m sure we can help you further.

Leave a Comment